Don’t trust that text: How the iPhone SMS spoof works

Late Friday, a blog focused on iOS security research claimed to have found a severe security flaw in iOS. It’s not a way to install malware or otherwise run destructive code, but it is an effective way to create fraudulent text messages that could be used in phishing schemes. While any phone that uses SMS text messaging is vulnerable, UI aspects of the iPhone make it a particularly tempting target. Since then, Apple has claimed the vulnerability lies in SMS technology, not iOS, and that it has no way of fixing it. So how does such a gaping hole in SMS security work?

As pod2g’s security blog explains, the vulnerability originates in the Protocol Data Unit (PDU) format that’s used to transmit text messages. When you create an SMS message on your phone and hit the Send button, your phone encodes the message as a PDU, tosses it across the network to its recipient, and the phone at the other end catches the bundle of PDU code and translates it into whatever display format the recipient phone uses. But if you’re handy with raw code, you can bypass all the technology that UI designers have worked so hard to make nice and instead compose a message directly in raw PDU format.

That’s where shenanigans can begin. Just by typing a few words into a text string, a nasty spammer can change the User Data Header in the PDU code, and make it appear to the recipient that the text is coming from their beloved “Mother,” “The FBI,” “Messengers From Space,” or any other sender they choose to specify. So you could get a message from “Mom” asking you to “Please log into this bank site so we can pay for your Uncle’s kidney surgery” or some other piece of phishing trickery. Even more maliciously, someone who knew the names of your trusted contacts could send, for example, a message that appears to be from your buddy Dave claiming to have had an affair with your house-pet, driving you into a jealous frenzy for nothing but their own amusement. More seriously, courts have used SMS messages as evidence, so this scam could be used to falsely prove that someone violated a restraining order, or is engaged in a criminal conspiracy.
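To make the mechanism concrete from the defender’s side, here is an added example (not code from pod2g’s post or from this article): a small decoder for an incoming SMS-DELIVER PDU that extracts both the network-stamped originating address and any reply address carried in the User Data Header, and flags the two disagreeing. The sample PDUs are constructed for this example using reserved 555 numbers, the Reply Address Element identifier 0x22 comes from 3GPP TS 23.040, and only UCS-2 text is decoded to keep the parser short.

```python
# Added example: decode an SMS-DELIVER PDU (3GPP TS 23.040) and compare the
# network-stamped originating address (TP-OA) with any Reply Address Element
# (IEI 0x22) in the User Data Header. A client that shows the UDH reply address
# as the sender is what the spoof relies on; a defensive client or gateway keeps
# TP-OA and flags a mismatch. Sample PDUs are constructed (reserved 555 numbers)
# and carry UCS-2 text (DCS 0x08), so TP-UDL counts octets and no 7-bit unpacking is needed.

REPLY_ADDRESS_IEI = 0x22  # Reply Address Element, TS 23.040 section 9.2.3.24

def decode_address(data: bytes, pos: int):
    """Address field: digit count, type-of-address, nibble-swapped digits (alphanumeric senders not handled)."""
    n_digits, toa = data[pos], data[pos + 1]
    n_bytes = (n_digits + 1) // 2
    raw = data[pos + 2:pos + 2 + n_bytes].hex()
    digits = "".join(raw[i + 1] + raw[i] for i in range(0, len(raw), 2))
    prefix = "+" if (toa & 0x70) == 0x10 else ""  # TON 001 = international
    return prefix + digits[:n_digits], pos + 2 + n_bytes

def analyze(pdu_hex: str) -> dict:
    data = bytes.fromhex(pdu_hex)
    pos = 1 + data[0]                       # skip length-prefixed SMSC address
    first, pos = data[pos], pos + 1
    if (first & 0x03) != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)               # TP-UDHI: a User Data Header follows
    originating, pos = decode_address(data, pos)
    pos += 2                                # TP-PID, TP-DCS (samples use DCS 0x08, UCS-2)
    pos += 7                                # TP-SCTS timestamp, not needed here
    udl, pos = data[pos], pos + 1
    ud = data[pos:pos + udl]                # with UCS-2, TP-UDL counts octets
    reply_address, text_start = None, 0
    if udhi:
        udhl, i = ud[0], 1
        while i < 1 + udhl:                 # walk the information elements
            iei, iel = ud[i], ud[i + 1]
            if iei == REPLY_ADDRESS_IEI:
                reply_address, _ = decode_address(ud, i + 2)
            i += 2 + iel
        text_start = 1 + udhl
    return {
        "originating": originating,
        "reply_address": reply_address,
        "text": ud[text_start:].decode("utf-16-be"),
        "spoof_suspect": reply_address is not None and reply_address != originating,
    }

# Constructed: real originator +15550001111, UDH reply address +15559998888, text "Hi".
SPOOFED_PDU = "00440B915155001011F1000821807121000000" + "0F0A22080B915155998988F8" + "00480069"
# Constructed: same originator and text, no User Data Header.
PLAIN_PDU = "00040B915155001011F10008218071210000000400480069"
```

A phone or gateway that applies this check would still show the network-supplied number (or the contact it matches) rather than the name or number the sender chose to put in the header.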

The iPhone is especially vulnerable because of its SMS user interface. In a typically Jobsian pursuit of cleanliness, the iPhone doesn’t display the phone number of whoever sent you a message, only the name of the sender. So if “Uncle Jed” is texting you from a phone number in Kazakhstan, there’s no way to tell that you’re getting messages from a suspicious number. Obviously, the iPhone isn’t the only phone to keep those ugly integers tucked away in the pursuit of elegance, but it’s by far the most prominent, and therefore the one with the most to lose if its interface gets regarded as a security risk.

Apple has dealt with phishing vulnerabilities on the iPhone before, as well as phishing scams built around the Apple ID. Unfortunately, this vulnerability is inherent to the SMS protocol, making it much harder for Apple to unilaterally fix it. Seth Bromberger, a security consultant at NCI Security, suggests that the iPhone should display the originating number, but it’s hard to imagine Apple cluttering up its clean lines with the kind of numeral strings that we all stopped remembering the day we got a built-in contacts list. For now, Apple has issued a statement telling users to be careful, and mentioning that hey, by the way, if you and all your friends just used iPhones exclusively, then you would automatically be texting with the iMessage system, where these problems can’t happen. So perhaps the solution to this iPhone vulnerability is to buy an iPhone for all the people who might text you. Everybody wins.